I. Pre-Crisis Planning & Preparation
A. Risk Identification & Assessment
List Potential Crisis Scenarios:
- Data breaches and cybersecurity incidents
- Negative media or social media backlash
- Fraud or financial irregularities (internal or external)
- Misconduct by staff, leadership, or volunteers
- Fundraising campaign failures or donor dissatisfaction
- Regulatory non-compliance or legal challenges
- Natural disasters or other external emergencies affecting operations
Conduct Regular Risk Assessments:
- Schedule quarterly reviews to update risk profiles
- Engage with all departments (communications, IT, finance, etc.) to identify emerging threats
B. Develop a Crisis Management Plan (CMP)
Document Procedures & Protocols:
- Write a step-by-step guide for activating crisis protocols
- Define the chain of command and decision-making processes
- Include escalation procedures and contingency plans
Assemble a Crisis Management Team (CMT):
- Appoint a Crisis Manager/Leader
- Identify department representatives (communications, IT, legal, finance, operations)
- Establish a dedicated media spokesperson
- Maintain an updated, accessible contact list of all CMT members
Legal & Regulatory Readiness:
- Consult legal counsel to outline obligations and reporting requirements
- Review insurance policies for crisis-related coverage
- Prepare templates for regulatory notifications, if needed
C. Training & Simulations
Conduct Regular Training:
- Provide crisis management training to all staff
- Ensure that new hires are familiar with crisis protocols
Run Simulation Drills:
- Organize annual or biannual crisis simulations
- Debrief after drills and update the CMP based on feedback
Maintain Crisis Resources:
- Keep an accessible repository of crisis management documents, templates, and contact lists
- Ensure backup copies of all key documents (both digital and physical)
II. Early Detection & Monitoring
A. Monitoring Systems
Internal Monitoring:
- Establish channels for employees and volunteers to report issues
- Set up an internal “red flag” reporting system
External Monitoring:
- Use media monitoring tools to track mentions in news outlets
- Monitor social media platforms for negative sentiment or misinformation
- Set up alerts for unusual activity related to donor feedback or fundraising metrics
B. Early Warning Indicators
Define Key Metrics:
- Track donation patterns and campaign performance indicators
- Monitor website and email traffic for spikes that might indicate a breach
- Identify unusual financial transactions or operational anomalies
Schedule Regular Reviews:
- Hold briefings with the CMT to review early warning signs
- Adjust monitoring parameters as needed based on current risks
III. Crisis Response Activation
A. Initial Steps
Trigger the Crisis Management Plan:
- Confirm that the situation meets crisis thresholds
- Immediately alert the Crisis Management Team via pre-defined communication channels
Secure Critical Assets:
- Protect sensitive data (donor information, financial records, intellectual property)
- If a cybersecurity breach is suspected, work with IT to isolate affected systems
B. Internal Coordination
Hold an Emergency Meeting:
- Gather the Crisis Management Team to assess the situation
- Review the initial facts and decide on the crisis level/severity
Document the Crisis Timeline:
- Record the onset time, initial actions, and all subsequent decisions
- Maintain a central log for transparency and future analysis
IV. Communication Strategy
A. Internal Communication
Notify Staff & Volunteers:
- Send an immediate internal alert with clear instructions
- Explain the situation, known facts, and next steps
- Designate a single point of contact for internal queries
Provide Ongoing Updates:
- Schedule regular briefings with all staff
- Use secure channels (intranet, internal email, messaging apps) for updates
- Remind employees of confidentiality and the importance of consistency
B. External Communication
Develop a Public Statement:
- Prepare an initial statement acknowledging the issue
- Emphasize your commitment to transparency and corrective actions
- Include disclaimers if details are under investigation
Prepare Supporting Materials:
- Create FAQs for media and public inquiries
- Develop talking points for the designated spokesperson
Engage with Donors & Stakeholders:
- Contact major donors, partners, and board members with personalized messages
- Reassure them with clear information on the measures being taken
- Establish a hotline or dedicated email for crisis-related inquiries
Manage Social Media:
- Monitor social media for emerging narratives
- Respond promptly to misinformation with factual, calm messaging
- Use scheduled posts to provide timely updates across platforms
V. Legal, Regulatory, & Financial Considerations
A. Legal & Regulatory
Consult with Legal Counsel Immediately:
- Verify compliance with applicable laws and regulations
- Determine if mandatory notifications to regulators or affected parties are required
Document Every Action:
- Keep detailed records of communications, decisions, and actions
- Ensure all documentation is secured and backed up
B. Financial Management
Assess Financial Impact:
- Review immediate financial risks (donor withdrawal, campaign shortfalls)
- Work with the finance team to quantify potential losses
Implement a Financial Contingency Plan:
- Reallocate resources as necessary to manage cash flow during the crisis
- Evaluate opportunities for emergency fundraising or donor outreach
Engage with Fundraising Commitments:
- Inform prospective and current donors about the steps taken to mitigate the crisis
- Consider organizing a targeted campaign to rebuild donor confidence
VI. IT & Data Security Response (If Applicable)
Activate IT Security Protocols:
- Immediately notify your IT security team and external experts
- Isolate compromised systems to prevent further breaches
Review & Update Data Protection Measures:
- Assess vulnerabilities and initiate system-wide security checks
- Notify affected parties and comply with data breach notification laws if necessary
Document IT Actions:
- Keep a log of all cybersecurity measures taken
- Update IT protocols based on findings during the crisis
VII. Recovery & Business Continuity
A. Stabilization
Implement a Recovery Plan:
- Gradually resume normal operations while monitoring for residual issues
- Prioritize restoring critical functions (donor communications, fundraising operations)
Ongoing Communication:
- Keep stakeholders informed about recovery progress
- Celebrate small milestones to rebuild morale and confidence
B. Business Continuity
Activate Business Continuity Plans (BCP):
- Ensure that alternative work arrangements (remote work, temporary staffing) are in place
- Test systems to verify they are fully operational
Reassess and Update Protocols:
- Evaluate which systems or processes need strengthening
- Implement improvements to prevent future crises
VIII. Post-Crisis Evaluation & Improvement
A. Debrief & Analysis
Conduct a Post-Crisis Review Meeting:
- Involve all key members of the Crisis Management Team
- Discuss what went well, what could be improved, and any unexpected challenges
Gather Feedback:
- Solicit input from staff, donors, and stakeholders
- Use surveys or debrief sessions to understand the overall response
Document Lessons Learned:
- Update the Crisis Management Plan and Training materials based on insights
- Archive all records of the crisis response for future reference
B. Long-Term Improvements
Revise Communication Strategies:
- Improve internal and external communication protocols based on feedback
- Refine media and social media guidelines for rapid response
Plan Follow-Up Training:
- Schedule additional drills and update training sessions
- Ensure the organization is better prepared for any future incidents
Report to Leadership & Board:
- Prepare a comprehensive report outlining the crisis timeline, actions taken, and recovery outcomes
- Recommend strategic changes or investments needed to bolster resilience